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Zero Trust visibility and control of 
every SaaS application 


SaaS applications empower your 


teams to do more than ever before, isaac 

but the flexibility and freedom : 

they afford your workforce also 5 Shadow IT Discovery 

introduces security risks, visibility oem ess 

challenges, and access control 

hurdles for your organization. 

Client on Zero Trust Access Policy 

Cloudflare gives you the tools you Device 

need to protect your data and 

workforce while still allowing your f:i} 

employees to use the tools that Router in 

help them get the job done. Office Data Protection Controls 

Discover and control £5) Apply Zero Trust Apply tenant and data 
shadow IT access policy 1t protection controls 

Without visibility into the SaaS applications are hosted When employees access the 
applications your employees outside of the corporate wrong instance of applications, 
are using, you can’t control network, leaving your security they can share and store your 
how sensitive data is stored, teams with limited ability to data in the wrong places — 
shared, or exposed to third control how users access opening the door to potential 
parties. Cloudflare helps those applications and move data leaks and other security 
you discover, categorize, data in and out of them. risks. Cloudflare helps you 
and control all approved and Cloudflare layers Zero Trust control the sharing and storage 
unapproved applications security measures in front of your data, whether it is in 
within your organization, while of your SaaS applications, transit over our network or in-use 
logging every connection and authenticating legitimate users within our remote browser. Now, 
request in one centralized and preventing unauthorized you can build and deploy Zero 
location. users or risky devices from Trust browsing policies to protect 


accessing your files and data. the data that lives within any 
SaaS tenant, while keeping your 
employees from accessing the 
wrong applications or the wrong 
tenants of approved applications. 
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Discover and control shadow IT 


Evaluate the applications your employees use 


When your IT team can’t see the applications your employees are using, they 
can't control what happens to the data within those applications. Cloudflare 
aggregates and automatically categorizes all HTTP requests in our activity 
log by application type. From there, you can set the status and track the 
usage of both approved and unapproved apps across your organization. 


Log every connection and request 


Cloudflare helps mitigate the risks introduced to your organization when 
employees access unsanctioned applications or use unmanaged devices to 
access sensitive information. Every connection and request is logged in one 
central location, so you can see which applications are in use and what actions 
users are taking within them. Administrators also have the ability to block 
and allow requests to SaaS applications, preventing users from bypassing 
important security controls and gaining unauthorized access to apps, 
resources, and data across your organization. 


Analytics 


Access 


Key Features 


e Automatically track 
which applications have 
already been secured by 
Cloudflare 


e Retain logs for up to 6 
months in Cloudflare’s 
network 


e Push logs to one or more 
of your cloud log storage 
and SIEM services 
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Apply Zero Trust access policy to your SaaS applications 


Provide secure SaaS access through Cloudflare’s identity proxy 


SaaS applications are hosted by third parties and often managed by business 
units, which means your IT team often has little say over how users access 
those applications. Cloudflare sits between your identity provider and your 
SaaS applications, enabling you to build and apply identity-aware, context- 
driven Zero Trust rules to the login process — all without disrupting the 
end-user experience. 


Determine application permissions for user devices 


Your IT department needs granular control over the way corporate-managed 
devices log in to SaaS applications. Cloudflare inserts Zero Trust rules into 


the single sign-on process for all applications that support SAML authentication. 


Users first authenticate with their identity provider; then, Cloudflare checks 
the request against device posture and location before authorizing access to 
any SaaS app -- with flexible session management for continuous verification. 
Security administrators can also create device-specific policies, so users 
can only access applications via devices that meet pre-established security 
requirements, including mTLS certificates. 
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Identity Providers 


Key Features 
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Integrate multiple identity 
providers or multiple 
instances of the same 
provider 


Verify user identity with 
per-app rules (e.g. MFA 
requires hard key) 


Verify device posture with 
per-app rules (e.g. SWG 
policy enforced, EPP 
installed, mTLS certificate, 
disk encryption enabled) 
and location 


Cloudflare’s app launcher 
portal allows users to see 
and access all of their 
approved SaaS 
applications 


EE Microsoft 365 


workday. 


SaaS Apps 
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Apply tenant and data protection controls to any 
SaaS application 


Restrict access to non-corporate instances of applications 


Cloudflare enables tenant control through HTTP gateway policies, which 
can be configured to prevent users from accessing consumer versions of 
applications. Instead of enforcing these policies using on-premise proxy 
servers via corporate VPNs, Cloudflare filters and inspects all traffic and 
requests through a vast global network of data centers — so your users 
never experience increased latency or degraded performance. 


Prevent corporate data from leaving your tenants 


Cloudflare makes it easy to build and deploy Zero Trust browsing policies to 
control and protect the data that lives within your web-based applications. 
All application code is executed in a secure headless browser running 
remotely across our massive global network, rather than endpoint devices, 
so sensitive data is shielded from compromised or untrusted devices and 
zero-day threats. And administrators retain control over how users access 
and share that data, so you can minimize the risk of accidental data loss or 
more significant data breaches. 


mes EE 


Untrusted interactions 
can be controlled in 
headless browser 


Zero Trust draw 
commands 
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Untrusted 
interactions 


User browser 


Key Features 


Control file down/upload 


Block copy/paste & print 


Sensitive data 


Allow or block browser 
behaviors based 

on multiple criteria, 
including application, 
application type, 
hostname, user identity, 
and security risk 


Control user actions 
within the browser: 
download, upload, 
copy-paste, keyboard 
input, and printing 
functionalities 


Any web app 
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The Cloudflare difference 


(o) Breadth of our platform 


Cloudflare places Zero Trust 


access (ZTNA), gateway (SWG), 


and browser (RBI) controls in 
front of your SaaS applications 
— without requiring your IT 
team to configure and operate 
a dedicated CASB product. 


A Built from scratch 


Cloudflare’s CASB capabilities 
work seamlessly with our 
ZTNA, SWG, and RBI services 
because all are built from 
scratch — eliminating the 
need to juggle multiple point 
products to protect your 
applications and teams. 


Cloudflare helps teams monitor, 
protect, and control SaaS applications 
via a natively integrated suite of 


Zero Trust security capabilities. 


Learn more now 


¥ Single control pane 


Cloudflare allows organizations 
to set policies and manage 
application access and usage 
from a single dashboard — so 
you can monitor all requests 
and permissions at a glance. 
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